Security

Your code never leaves your machine

Operon captures every prompt, response, and decision from your AI coding sessions. That data is sensitive. Here's exactly how we protect it.

Local-first by default · No code transmission · RLS on every cloud table · HMAC-verified webhooks · Opt-in telemetry · Zod-validated RPC

Architecture

How your data flows

By design, Operon keeps your development data local. Cloud sync is strictly opt-in and limited to metadata — never source code.

Your Machine

Local components

  • AI Tools — Claude Code, Cursor, Codex, Gemini CLI, Aider
  • Terminal Daemon — persistent PTY session manager
  • Hook Receiver — localhost:47777, auth token required
  • SQLite Database — local only, WAL mode, crash-safe
  • Event Bus — typed async channel, in-process only

Everything above stays on your machine forever.

Optional — Cloud Sync

Team tier only (off by default)

  • RLS policies — per-user isolation enforced at DB layer
  • Encrypted transit — HTTPS/TLS to Supabase
  • userId ownership — verified on every query
  • Realtime sync — authenticated WebSocket, no polling

What syncs (metadata only): Events & traces, Tasks & decisions, Token usage stats, Session metadata.

Source code never syncs — ever.

Core Principles

Four guarantees we stand behind

These aren't aspirational policies — every item below is implemented and shipped in the current release.

01 / LOCAL-FIRST

Local-First by Default

  • All data stored in local SQLite database
  • WAL mode for crash-safe writes
  • Schema versioning with migrations
  • Integrity checks and auto-backup on corruption
  • Zero cloud dependency in solo mode
02 / NO EXFILTRATION

No Code Transmission

  • Operon observes — it never sends your code anywhere
  • Terminal output stays on your machine
  • File contents analyzed locally, never uploaded
  • Git diffs computed locally via simple-git
  • Cloud sync: metadata only, never source code
03 / HOOK AUTH

Authenticated Hook System

  • Hook receiver bound to 127.0.0.1 only (localhost)
  • Persistent auth token stored in ~/.operon/config.json
  • Token validated on every hook event
  • Separate MCP write token from hook auth token
  • No external network access required
04 / ISOLATION

Data Isolation

  • userId ownership checks on all IPC handlers
  • verifySessionAccess / verifyProjectAccess guards
  • Scoped data exports per user
  • Sign-out teardown: end sessions, kill PTYs, stop watchers
  • SyncEngine backfill claims only recent data (last 60s)
Team Tier

Cloud Sync Security

Team sync is opt-in and strictly scoped. You decide what leaves your machine — and even when it does, source code never travels.

What syncs

  • Events, traces, and tool execution records
  • Tasks, decisions, and flight plan steps
  • Token usage and cost statistics
  • Session metadata (name, duration, project)
  • Context monitor snapshots

What NEVER syncs

  • Source code or file contents — ever
  • Terminal output or raw shell buffers
  • Raw git diffs (tool execution summaries may include code context — configurable per-project)
  • Local file paths or directory structures
Transport

HTTPS/TLS to Supabase — all data encrypted in transit

Storage

PostgreSQL with Row Level Security (RLS) — per-user isolation enforced at DB layer on every cloud_* table

Auth

Supabase Auth — GitHub/Google OAuth and email/password with CSRF validation

Team isolation

Team membership verified on every query — project-scoped data access

Real-time

Supabase Realtime via authenticated WebSocket — no polling, no shared channels

Outbox pattern

Sync uses outbox + conflict resolution — offline-safe with no data loss

Backfill safety

SyncEngine only claims sessions from the last 60 seconds on initial sign-in — never claims all NULL-owned local data

ID mapping

Local proj_xxx identifiers translated to cloud UUIDs at sync time — no cross-user identifier collisions

Tool execution records (including inputs/outputs) sync by default. Disable per-project with the sync_code_content setting.

Row-Level Security

Every cloud table, row-level isolated

Row Level Security (RLS) is enforced at the Postgres layer on every cloud_* table. No application bug can leak data across users or teams — the DB itself refuses to serve rows that don't match the requesting identity.

Protected tables

10+ cloud tables with RLS

  • profiles
  • teams + team_members + invites
  • devices
  • sync_records + sync_state + audit_log
  • cloud_sessions + cloud_traces + cloud_tasks
  • cloud_decisions + cloud_events + cloud_plans
  • cloud_project_memory + cloud_patterns
  • cloud_checkpoints + cloud_memory_audit
  • cloud_orchestration_plans + cloud_orchestration_subtasks
  • session_replays
How it works

Identity-bound reads and writes

  • Every query is authenticated via Supabase JWT — no anonymous access
  • Policies check auth.uid() against user_id / team_id on every row
  • Admin roles use explicit service-role keys with full audit logging
  • Team membership is re-verified on every read — leaving the team removes access immediately
  • No raw SQL paths bypass RLS — all access goes through PostgREST
Telemetry — Opt-in only

Error reports only with your consent

Operon's error reporter is wired through a consent store and a Sentry adapter — but neither runs unless you've explicitly opted in. And even then, an env-disable flag overrides consent.

01 / NO-OP BY DEFAULT

Consent denied = zero telemetry

When consent is denied, Operon instantiates a no-op error reporter. No network calls, no Sentry initialization, no background hooks. The code path literally does nothing.

02 / CONSENT + ENV BOTH REQUIRED

Double gate

Telemetry requires both user consent AND the absence of OPERON_DISABLE_TELEMETRY=1. Either gate closed = no telemetry. Enterprise installs can hard-disable via env without touching user settings.

03 / CONSENT AUDIT TRAIL

Every change logged

Consent grants and revocations are persisted to the telemetry_consent table with timestamps. Revoke anytime from Settings; the no-op reporter takes over on next app start.

Application Security

Defense in depth

Operon is an Electron app — an attack surface we take seriously. Here's the full list of security controls in the current release.

  • Content Security Policy: CSP headers restrict script execution to known origins — inline script injection blocked at the Electron layer.
  • Web Security: Electron webSecurity is enabled. Node integration is off in the renderer process — no direct Node.js access from renderer code.
  • Single Instance Lock: Prevents multiple Operon processes from running simultaneously — eliminates race conditions on local data and PTY ownership conflicts.
  • Typed RPC with zod validation: Every main-process subsystem registers typed handlers via a Proxy-based RPC router. Every payload is zod-validated at the boundary before it touches business logic. Renderer calls via auto-typed rpc.* proxies — no string-indexed IPC channels.
  • IPC Validation: All IPC handlers enforce: path traversal prevention with home boundary checks, tool enum validation, and string length limits on all inputs.
  • Per-User Data Isolation: userId ownership guards run on every IPC handler and every engine query (SessionDNA, CrossSessionAnalyzer, TeamAnalyzer). verifySessionAccess / verifyProjectAccess enforce scope at query time — no cross-user data access paths.
  • Error Boundaries: React ErrorBoundary catches renderer crashes — uncaught errors are isolated and displayed without crashing the entire UI or losing session state.
  • Buffer Limits: Shell buffer capped at 512KB, response buffer at 256KB — prevents unbounded memory growth from runaway AI sessions or large terminal outputs.
  • OAuth CSRF Protection: State parameter generated and validated on all OAuth flows — GitHub and Google sign-in both protected against cross-site request forgery.
  • Credential Storage via Keytar: SSH connection credentials and integration tokens (Linear / GitHub / Jira) are stored in the OS keychain via keytar — never in plaintext config, never in the SQLite database.
  • HMAC-verified Webhooks: GitHub and Linear webhook receivers verify HMAC-SHA256 signatures on every inbound request. Failed signature = 401 with explicit error. No silent drops, no unauthenticated triggers.
  • Injectable SSH Factory: The SSH connection pool accepts an injectable ssh2 factory — swappable for audit reviews, mocking in tests, or self-hosted identity systems. Transparency by design.
  • Opt-In Telemetry: Telemetry consent is explicit per-install. ErrorReporter uses a Sentry adapter only when consent is granted AND no env-disable flag is set — otherwise a no-op reporter wins. Consent + env both required.
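
The IPC Validation item above names three checks: a home boundary check against path traversal, tool enum validation, and string length limits. The following is an added example of those checks in Node.js, not Operon's own code; the tool identifiers, the 4096-character limit and all function names are assumptions made for illustration.

```javascript
const path = require('node:path');

// Hypothetical values: the page does not list Operon's enum or limits.
const TOOL_ENUM = new Set(['claude-code', 'cursor', 'codex', 'gemini-cli', 'aider']);
const MAX_STRING = 4096;

// Length and type limit applied to every string input.
function checkString(name, value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > MAX_STRING) {
    throw new Error(`${name}: wrong type or length`);
  }
  if (value.includes('\0')) throw new Error(`${name}: NUL byte`);
  return value;
}

// Resolve `input` against `home` and reject anything that lands outside it.
// path.relative() is used instead of a startsWith() prefix test, which would
// wrongly accept a sibling such as /home/alice2 for the home /home/alice.
function resolveInsideHome(input, home) {
  const root = path.resolve(home);
  const resolved = path.resolve(root, checkString('path', input)); // collapses ".."
  const rel = path.relative(root, resolved);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path: outside home boundary');
  }
  return resolved;
}

// Validate one request at the IPC boundary, before any business logic runs.
function validateRequest(req, home) {
  try {
    const tool = checkString('tool', req.tool);
    if (!TOOL_ENUM.has(tool)) throw new Error('tool: not in enum');
    return { ok: true, tool, file: resolveInsideHome(req.file, home) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

The check is lexical: a symlink inside the home directory can still point outside it, so resolve the path with fs.realpathSync before the boundary test when the target must already exist.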
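
The HMAC-verified Webhooks item above describes signature checking with a 401 on failure. The following is an added example of that check for GitHub's `X-Hub-Signature-256: sha256=<hex>` header format, not Operon's own code; the function name, error strings and sample secret and payload are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Returns the status a receiver should answer with: 200 when the signature
// matches, 401 with an explicit error otherwise.
function verifyGithubSignature(secret, rawBody, signatureHeader) {
  // Sign the exact bytes received. A body that was parsed and re-serialised
  // as JSON can differ in whitespace or key order and will not match.
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();

  // Reject a missing header, a wrong algorithm prefix or a wrong-length digest
  // before comparing.
  const m = /^sha256=([0-9a-f]{64})$/.exec(signatureHeader || '');
  if (!m) return { status: 401, error: 'missing or malformed signature' };
  const presented = Buffer.from(m[1], 'hex');

  // Constant-time comparison. timingSafeEqual throws on unequal lengths; the
  // regex above guarantees both buffers are 32 bytes.
  if (!crypto.timingSafeEqual(expected, presented)) {
    return { status: 401, error: 'signature mismatch' };
  }
  return { status: 200 };
}

// Constructed sample data, not a real secret or payload.
const SECRET = 'constructed-demo-secret';
const BODY = Buffer.from('{"action":"opened","number":1}');
const GOOD = 'sha256=' + crypto.createHmac('sha256', SECRET).update(BODY).digest('hex');
```
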
Agent Guardrails

Execution security

AI agents are powerful — but unconstrained agents are a liability. Operon's harness enforces boundaries at the OS level, requires explicit approval at every step, and logs everything for audit.

Scope Enforcement

  • Agents are restricted to developer-defined file boundaries
  • Out-of-scope writes are detected in ~100ms via file system monitoring
  • Violations trigger automatic git revert + PTY pause
  • No tool cooperation required — enforcement works at the OS level

Checkpoint Gates

  • Every plan step requires explicit developer approval
  • Git snapshots created at each checkpoint for rollback
  • Confidence scoring flags high-risk operations before approval

Intent Monitoring

  • Real-time drift detection catches agents that exceed their mandate
  • Heuristic-based (no data leaves your machine)

Audit Trail

  • Every scope violation, checkpoint approval, and intent drift is logged
  • Full audit trail synced to cloud for team visibility
  • Decision log with rationale for every architectural choice

Session Replay for Compliance

  • Complete session recordings for review and audit
  • Redaction controls for sensitive data
  • Expiring links for controlled sharing
Data Lifecycle

Your data, your terms

We're explicit about what we keep, where, and for how long.

Local Data

Stays on your machine forever. You own it — no expiry, no remote deletion. Export to JSON or CSV anytime from the Settings page.

Cloud Data

Retained while your account is active. Full deletion on account removal — no ghost records. GDPR-compliant deletion within 30 days.

Team Data

Scoped to team boundaries. Data removed from team namespace when a member leaves. Team admin can audit and export all team records.

Schema Backups

Local SQLite is automatically backed up before schema migrations. Corruption recovery: integrity check, auto-backup, and fresh DB on failure.

Coming Next

Security Roadmap

Transparency means showing what's built and what's next. These features are scoped, designed, and in the queue.

Planned

E2E Encryption

Encrypt sync payloads with team passphrase before Supabase storage — zero-knowledge metadata sync

Planned

Per-User Data Encryption

Encrypt SQLite at rest for shared-machine users — each profile fully isolated with its own key

Planned

Self-Hosted Relay

Docker container with Postgres for enterprise deployments — no Supabase dependency, full data residency control

Planned

Offline Auth Cache

Persist JWT locally for trusted offline startup — no more unauthenticated state on network loss

Planned

SOC 2 Compliance

Formal audit trail and compliance certification — required for regulated-industry and enterprise customers

Found a vulnerability?

We take responsible disclosure seriously. If you've found a security issue, please reach out directly — we keep all reports confidential.

security@operonapp.dev

We respond to all reports within 48 hours.

Security-first, always

Local-first, transparent, and security-first from day one. Free during beta.
